Researchers compile list of vulnerabilities abused by ransomware gangs

Researchers compile list of vulnerabilities abused by ransomware gangs

Security researchers are compiling an easy-to-follow list of vulnerabilities ransomware gangs and their affiliates are using as initial access to breach victims’ networks.

All this started with a call to action made by Allan Liska, a member of Recorded Future’s CSIRT (computer security incident response team), on Twitter over the weekend.

Since then, with the help of several other contributors that joined his efforts, the list quickly grew to include security flaws found in products from over a dozen different software and hardware vendors.

While these bugs have been or still are exploited by one ransomware group or another in past and ongoing attacks, the list has also been expanded to include actively exploited flaws, as security researcher Pancak3 explained.

The list comes in the form of a diagram providing defenders with a starting point for shielding their network infrastructure from incoming ransomware attacks.

Vulnerabilities targeted by ransomware groups in 2021

This year alone, ransomware groups and affiliates have added multiple exploits to their arsenal, targeting actively exploited vulnerabilities.

For instance, this week, an undisclosed number of ransomware-as-a-service affiliates have started using RCE exploits targeting the recently patched Windows MSHTML vulnerability (CVE-2021-40444).

In early September, Conti ransomware also began targeting Microsoft Exchange servers, breaching enterprise networks using ProxyShell vulnerability exploits (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).

In August, LockFile started leveraging the PetitPotam NTLM relay attack method (CVE-2021-36942) to take over the Windows domain worldwide, Magniber jumped on the PrintNightmare exploitation train (CVE-2021-34527), and eCh0raix was spotted targeting both QNAP and Synology NAS devices (CVE-2021-28799).

HelloKitty ransomware targeted vulnerable SonicWall devices (CVE-2019-7481) in July, while REvil breached Kaseya’s network (CVE-2021-30116, CVE-2021-30119, and CVE-2021-30120) and hit roughly 60 MSPs using on-premise VSA servers and 1,500 downstream business customers [1, 2, 3].

FiveHands ransomware was busy exploiting the CVE-2021-20016 SonicWall vulnerability before being patched…